Identifying targets of network attacks

ABSTRACT

Systems and methods are described to enable identification of computing resources targeted in a network attack. Network attacks, such as denial of service attacks, are frequently directed to network addresses that host multiple sets of content, each representing a distinct potential target of the network attack. Aspects of this disclosure enable each set of content to be assigned a unique or semi-unique combination of network addresses at which the set of content is accessible. During a network attack, a hosting system can compare the network addresses under attack to those assigned to each set of content to determine which sets of content are potentially targeted by the attack. Where the combination of network addresses is associated with only a single set of content, that set of content can be identified as the target of the network attack.

BACKGROUND

Generally described, computing devices utilize a communication network, or a series of communication networks, to exchange data. Companies and organizations operate computer networks that interconnect a number of computing devices to support operations or provide services to third parties. The computing systems can be located in a single geographic location or located in multiple, distinct geographic locations (e.g., interconnected via private or public communication networks). Specifically, data centers or data processing centers, herein generally referred to as “data centers,” may include a number of interconnected computing systems to provide computing resources to users of the data center. The data centers may be private data centers operated on behalf of an organization or public data centers operated on behalf, or for the benefit of, the general public.

Service providers or content creators (such as businesses, artists, media distribution services, etc.) can employ a series of interconnected data centers to deliver content (such as web sites, web content, or other digital data) to users or clients. These interconnected data centers are sometimes referred to as “content delivery networks” (CDNs) or content delivery systems. Existing routing and addressing technologies can enable multiple data centers associated with a content delivery system to provide similar or identical content to client computing devices. In some instances, each data center providing a set of content may be referred to as a point-of-presence (“POP”). A content delivery system can maintain POPs over a wide area (or worldwide) to enable the system to efficiently service requests from clients in a variety of locations.

Malicious entities occasionally attempt to disrupt the operations of service providers or content creators via network-based attacks (“network attacks”). One mechanism for doing so is a “denial of service” (DoS) attack. These attacks generally attempt to make a target computing device or network resource, such as a web site, unavailable to legitimate clients. One common instance of a DoS attack involves saturating the target device or network with external communications requests, such that it cannot respond to legitimate traffic, or it responds so slowly as to be rendered effectively unavailable. Because of the number of requests required to mount such an attack, responsibility for implementing the attack is often distributed across many computing devices. These distributed attacks are therefore known as “distributed denial of service” (DDoS) attacks. Because attacked targets, such as specific web sites or domain names, are often hosted or associated with a content delivery system, that system itself may also be targeted by the attack. Further, the content delivery system often hosts content on behalf of non-targeted systems or networks, which may also be affected by the attack due to their use of the content delivery system.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram depicting an illustrative logical network 100 including multiple accessing computing devices 102 and content providers 104, as well as a content delivery system 110 including multiple points-of-presence 114;

FIG. 2 is a block diagram depicting interactions between a legitimate accessing computing device 102A and the content delivery system 110 of FIG. 1 to provide content hosted by the content delivery system 110 on behalf of a content provider 104;

FIG. 3 is a block diagram depicting implementation of a denial of service attack on the content delivery system 110 of FIG. 1 by a set of illegitimate accessing computing devices 102 and responsive actions of the content delivery system 110, including detection of the specific content targeted in the denial of service attack;

FIG. 4 is a flow chart depicting an illustrative routine for identifying the content hosted by the content delivery system 110 of FIG. 1 that is being targeted by a denial of service attack; and

FIG. 5 is a block diagram depicting an illustrative configuration of one embodiment of the target identification service 116 of FIG. 1.

DETAILED DESCRIPTION

Generally described, aspects of the present disclosure relate to identifying the target of a network attack, such as a denial of service (“DoS”) attack, directed towards a content delivery system hosting content of a multitude of potential targets. A potential target on a content delivery system can correspond to a specific set of content hosted by the content delivery system on behalf of a third-party content provider or an operator of the content distribution service itself. Such a set of content can be generally referred to as a “distribution,” and may correspond to a specific web site (e.g., as associated with a specific domain name) or other network-accessible service. Content delivery systems generally make distributions available at one or more network addresses (e.g., internet protocol or “IP” addresses), to which a computing device—either legitimate or malicious—may transmit a request for information. However, due to the limited nature of network address formats, it may be impossible or infeasible to uniquely assign network addresses to individual distributions. Thus, it may be difficult or impossible to determine, based on the network address to which a network attack is directed, which distribution sharing a given network address is the target of the attack. This, in turn, may limit the potential mitigation techniques available to the content delivery system. Accordingly, embodiments of the present disclosure enable a content delivery system to associate a unique or semi-unique combination of network addresses (e.g., internet protocol or “IP” addresses) with each distribution. Thereafter, a network attack directed to a combination of network addresses that is unique to a specific distribution can be quickly determined to be targeting that distribution, which can aid in mitigation of the attack.

Embodiments of the present application further enable a targeted distribution to be identified even when an attack is directed to less than an entire combination of network addresses shared by multiple distributions. For example, assuming that distributions are assigned unique combinations of four network addresses, embodiments of the application can enable a distribution subject to attack to be identified even when the attack targets only two network addresses (which may be shared with non-attacked distributions). As will be described below, a content delivery system may respond to such an attack by limiting the network availability of attacked network addresses. For example, a content delivery system may halt advertisement of an attacked network address within domain name system (DNS) queries, or may halt all processing of network traffic directed to an attacked address. Limiting the availability of attacked addresses can both serve to mitigate the attack, and cause the attack (should it proceed) to target additional network addresses of a target distribution. The content delivery system may then utilize the additional network addresses, in conjunction with the previously attacked network addresses, to identify the attacked distribution. Accordingly, the content delivery system may implement mitigation techniques to both limit the effects of the attack on the attacked distribution, as well as to ensure the continued availability of non-attacked distributions.

In one embodiment, unique combinations of network addresses may be assigned to each distribution based on a hashing algorithm, in connection with information regarding the distribution. For example, where each distribution is to be associated with a set of eight network addresses, each network address can be determined based on hashing a combination of the distribution's human-readable network identifier (e.g., a “domain name”) and the index of the desired network address (e.g., zero through seven). In some instances, the unique network addresses assigned to a distribution may vary across different POPs of the content delivery system. As such, each network address for a given distribution can be based on hashing a combination of the distributions human-readable network identifier, the index of the desired network address, and an identifier of the POP (e.g., as assigned by the content delivery system). In some embodiments, network addresses assigned to a distribution can be caused to vary based on time by including a time value (e.g., a current date) within the hash algorithm. One example of a hashing algorithm that may be used in accordance with the present disclosure is the MD5 message-digest algorithm, which is a cryptographic hash function that produces a 128 bit hash value as an output. Various additional examples of hashing algorithms themselves are well known in the art, and therefore will not be discussed in detail herein.

Because the values produced by hashing algorithms are generally larger than the number of network addresses available to a content delivery system (or specific POPs within a content delivery system), the hash values may be reduced to produce values within a range suitable to the content delivery system. For example, a content distribution system may determine the result of a modulo operation dividing each hash value by the number of network addresses available to the content delivery system (or a specific POP within the content delivery system). The result of the modulo operation can then indicate the index of a specific network address, from a collection of available network address, that corresponds to the hash value. For example, assume a content delivery system (or POP within the system) has 256 network addresses available, and wishes to assign eight network addresses to each served distribution. The content delivery system may calculate eight hashes for each served distribution and determine the result of a modulo operation dividing each hash by 256, resulting in a eight values each between zero and 255. This process would result in over four hundred trillion potential combinations of values, ensuring that each combination of eight network addresses is either unique or substantially unique.

After assigning a combination of network addresses to each distribution, the content delivery system can monitor for attacks, such as denial of service attacks, on the content delivery system. Due to the nature of such attacks, it is often trivial to determine the network addresses targeted by an attack but difficult to determine the targeted distribution. Specifically, a single network address (e.g., IP address) may serve content associated with distributions, each associated with a different human-readable network identifier (e.g., domain name or universal resource locator [URL]). During an attack, resolution of a network address from a network identifier (e.g., via the well-known DNS resolution process) may occur separately from—and often less frequently than—actual implementation of the attack on the network address. Moreover, the packets that form a part of the attack, which are generally specially created by an attacker, often do not specify the network identifier to which the attack is targeted. Thus, when an attack on a specific network address occurs, a content delivery system may be generally unable to directly determine which distribution associated with that specific network address is actually under attack.

In accordance with aspects of the present disclosure, when an attack on a network address is detected, a content delivery system may attempt to do a “reverse lookup” of the attacked distribution, by utilizing a similar algorithm to that described above with respect to assignment of network addresses. Specifically, a target identification service within the content delivery system may generate or obtain a listing of each distribution potentially targeted by the attack (e.g., each distribution on a specific POP under attack), and what combination of network addresses has been assigned to the distribution by the content delivery system. In some embodiments, this listing may be generated “on-the-fly” by the target identification service, by calculating a combination of network addresses for each distribution (as described above) in response to a request to resolve a network address into a corresponding distribution. In other embodiments, the target identification service may pre-compute a mapping of distributions and associated network address combinations using the hash-based calculation described above. In either instance, the target identification service can utilize the submitted network addresses to determine which of the hosted distributions are assigned to the submitted combination of network addresses. In the instance that a small number of distributions (e.g., at or below a specified threshold value, which may be one) are assigned to the submitted network addresses, the target identification service can identify those distributions. The content delivery system may then implement mitigation techniques to limit the effect of the attack on either or both of the attacked distribution or the content delivery system as a whole.

In the instance that a larger number of distributions (e.g., over a threshold value) are assigned to network addresses submitted to the target identification service, the service may attempt to limit access to the submitted network addresses in an attempt to either halt the attack or force the attack to move to additional network addresses. In one embodiment, the target identification service may instruct DNS servers associated with the content delivery system to remove the initially submitted network addresses (e.g., those currently under attack) from DNS service responses. Because client computing devices generally access distributions by first submitting a DNS request for the distribution, removing attacked network addresses from DNS service records may cause legitimate clients to attempt to connect to alternate network addresses, at least partially mitigating the attack.

In addition to removing attacked addresses from DNS record responses, the content delivery system 110 may also halt processing traffic directed to attacked addresses. Such halting is sometimes referred to as “blackholing” the network address, and generally involves discarding or “dropping” packets addressed to the network address, either at a receiving computing device or at an intermediary network device. This technique may be especially desirable during a denial of service attack, since intermediary network devices within the content delivery system (e.g., “edge devices”) may be able to process and discard packets that would otherwise overwhelm the resources of an attacked target.

In many instances, an attack on a distribution may continue even after access to the previously attacked network addresses has been limited (e.g., by removing the previously attacked network addresses from DNS responses or by “blackholing” the previously attacked network addresses). For example, an attacker may detect that the initial attack has been mitigated, and redirect the attack to additional network addresses associated with the distribution (which may be determined via DNS requests transmitted to the content delivery system either before or after limiting access to the previously attacked network addresses). Though continuation of the attack in undesirable, the content delivery system may utilize the additional network addresses to more specifically determine the distribution to which the attack is targeted. Specifically, the content delivery system may provide the additional network addresses to the target identification service, and request that the target identification service utilize the additional network addresses in conjunction with the initially attacked (and subsequently limited) network addresses to determine a distribution that is the target of the attack.

If this combination of network addresses is associated with a single distribution (or less than a predetermined threshold number of distributions), the content delivery system may implement mitigation techniques to mitigate the attack on that distribution. Alternatively, the content delivery system may continue to limit the availability of attacked network addresses until a single distribution (or less than a threshold number of distributions) has been identified as the target of the attack.

While examples are provided herein with respect to content distribution systems, embodiments of the present application may be implemented with respect to any network of computing devices that operates to serve discrete sets of content to client computing devices. Moreover, while some examples are provided with respect to a content distribution network as a whole, embodiments of the present application may also be implemented in whole or in part by discrete portions of the content delivery system. For example, each POP within a content delivery system may function to assign a unique or semi-unique combination of network addresses to the content of a distribution that is hosted at that POP, which may vary from the network addresses assigned to the same content of the distribution at a different POP. As a further example, each POP within a content delivery system may include a target identification service configured to identify an attacked distribution based on a combination of attacked network addresses. Thus, the examples provided herein are intended to be illustrative, and not exhaustive, in nature.

Further, while examples are provided herein utilizing a combination of network addresses (such as IP addresses) to uniquely identify a distribution, embodiments of the present application may additionally or alternatively assign to distributions a unique (or statistically likely to be unique) set of other addressing information. As used herein, addressing information includes any information provided by an accessing computing device to connect to a service provided by the content distribution system. By way of non-limiting example, sets of addressing information may include a network address, port number, or transmission protocol. Illustratively, each distribution on the content distribution service may be assigned eight network address and port number pairs. Thereafter, a network attack directed at some number of address and port number pairs could be compared to those address and port number pairs assigned to each distribution to identify a target of the attack. Similarly, each distribution on the content distribution service may be assigned some n number of sets of addressing information composed of a network address, port, and protocol. Because the number of unique sets of addressing information is much larger than the number of unique network addresses, use of sets of addressing information may enable the content distribution service to uniquely identify specific sets of content (or other services) using smaller combinations of addressing information.

As will be appreciated by one of skill in the art in light of the description above, the embodiments disclosed herein substantially increase the ability of computing systems, such as content delivery systems, to identity and mitigate network attacks on specific sets of content, such as a web site or domain name. Thus, the presently disclosed embodiments represent an improvement in the functioning of such computing systems, by enabling content delivery systems or other networked devices to continue to service legitimate client requests even while receiving large numbers of illegitimate requests. Moreover, the presently disclosed embodiments address technical problems inherent within computing systems; specifically, the limited ability of computing systems to process network-based requests, the limited number of network addresses available to computing systems, and the ambiguity in network addresses that results from providing content of multiple domain names from a single network address. These technical problems are addressed by the various technical solutions described herein, including the assignment and distribution of unique network address combinations for specific collections of content (e.g., individual distributions, network identifiers or domain names), the resolution of attacked network addresses to attack content, and the disambiguation of attacks directed to a non-unique combination of network addresses by iteratively limiting access to those attacked network addresses until a unique or semi-unique combination of network addresses is identified. Thus, the present application represents a substantial improvement on existing network systems and computing systems in general.

The foregoing aspects and many of the attendant advantages of the present disclosure will become more readily appreciated as the same become better understood by reference to the following, when taken in conjunction with the accompanying drawings.

FIG. 1 is a block diagram depicting an illustrative logical network 100 including multiple accessing computing devices 102 and multiple content providers 104 in communication with a content delivery system 110 via a network 106. While the accessing computing devices 102 and the content providers 104 are shown as a group within FIG. 1, the accessing computing devices 102 and content providers 104 may be geographically distant, and independently owned or operated. For example, the accessing computing devices 102 could represent a multitude of users in various global, continental, or regional locations accessing the content delivery system 110. Further, the content providers 104 could represent a multitude of related or distinct parties that have associated with the content delivery system 110 to provide content, such as web sites, multimedia, or other digital, network-deliverable content to the accessing computing devices 102. Accordingly, the groupings of accessing computing devices 102 and content providers 104 within FIG. 1 is intended to represent a logical, rather than physical, grouping. Similarly, each of the components of the content delivery system 110 may be located within geographically diverse areas. For example, the DNS servers 112 and POPS 114 within the content delivery system may be globally, continentally, or regionally disparate, in order to provide a wide geographical presence for the content delivery system 110.

Network 106 may be any wired network, wireless network, or combination thereof. In addition, the network 106 may be a personal area network, local area network, wide area network, cable network, satellite network, cellular telephone network, or combination thereof. In the example environment of FIG. 1, network 106 is a global area network (GAN), such as the Internet. Protocols and components for communicating via the other aforementioned types of communication networks are well known to those skilled in the art of computer communications and thus, need not be described in more detail herein. While each of the accessing computing devices 102, content providers 104, and content delivery system 110 is depicted as having a single connection to the network 106, individual components of the accessing computing devices 102, content providers 104, and content delivery system 110 may be connected to the network 106 at disparate points. Accordingly, communication times and capabilities may vary between the components of FIG. 1.

Accessing computing devices 102 may include any number of different computing devices capable of communicating with the content delivery system 110. For example, individual accessing computing devices may correspond to a laptop or tablet computer, personal computer, wearable computer, server, personal digital assistant (PDA), hybrid PDA/mobile phone, mobile phone, electronic book reader, set-top box, camera, digital media player, and the like. Further, accessing computing devices 102 may include devices utilized by both legitimate clients of the content delivery system 110 and devices utilized by malicious parties to undertake network-based attacks, such as DoS attacks, on the content delivery system 110.

Content providers 104 may include any computing device owned or operated by an entity that has provided content to the content delivery system 110 for subsequent transmission to client computing devices (which may include one or more accessing computing devices 102). For example, content providers 104 may include servers hosting web sites, streaming audio, video, or multimedia services, data analytics services, or other network-accessible services. While illustratively shown in FIG. 1 as a network-attached computing device, content providers 104 may additionally or alternatively provide content to the content delivery system 110 via non-networked communication channels (e.g., via physical delivery of data).

The content provided to the content delivery system 110 by the content providers 104 may be hosted in POPs 114. Each POP 114 may include a variety of computing devices configured to serve content to accessing computing devices 102. Accordingly, though not shown in FIG. 1, each POP 114 may include any number of processors, data stores, or networking components operating in conjunction to facilitate retrieval of content. Each POP 114 may be associated with a limited number of network addresses via which accessing computing devices 102 may address the POP 114 via the network 110. In one embodiment, each network address is an internet protocol version 4 (IPv4) or internet protocol version 6 (IPv6) address. For example, each POP 114 may be associated with one or more specific “blocks” of network addresses, such as the “192.168.0.0/24” block of IPv4 addresses (represented in classless inter-domain routing or “CIDR” notation, as is common in the art). Further, each POP 114 may be configured to provide multiple sets of content, each of which may be associated with a specific content provider 104. Generally, these discrete sets of content may be referred to herein as a “distribution.” Each distribution may represent a specific network-accessible service available from the POP 114 or the content delivery system 110 generally.

Because the number of distributions provided by a POP 114 can exceed the number of network addresses available to the POP 114, each distribution may be available at multiple network addresses. For example, a first network address “192.168.0.1” may service requests directed to the distributions “www.domain1.tld” and “www.domain2.tld,” while a second network address “192.168.0.2” may service requests directed to the distributions “www.domain3.tld” and “www.domain4.tld.” Each of these illustrative distributions may correspond to a distinct content, provider 104. One of ordinary skill in the art will recognize that the example network addresses and identifiers provided herein are illustrative in nature, and not intended to refer to any specific existing network address or identifier.

Each network address within a POP 114 may further be assigned to multiple computing devices (not separately shown in FIG. 1). Existing routing technologies, as are well known within the art, can enable the multiple computing devices to balance the load of requests directed to a specific network address By varying the number of computing devices assigned to a given network address, as well as the combination of network addresses assigned to specific distributions, the capabilities of each POP 114 may be scaled to address virtually any number of accessing computing devices 102.

The illustrative content delivery system 110 of FIG. 1 further includes a set of DNS servers 112 configured to resolve human-readable network identifiers of distributions (such as domain names or URLs) into network addresses (such as IP addresses) or addressing information sets (composed of addressing information, such as network address, port numbers, protocols, or combinations thereof) at which content of the distributions may be obtained. Illustratively, each DNS server 112 may include one or more processors, memories, and data storage devices collectively configured to receive requests from accessing computing devices 102 for a specific domain name associated with a distribution. The DNS servers 112 may further be configured, in response, to provide a combination of network addresses, associated with one or more computing devices within a POP 114, at which content of that distribution may be obtained. Thereafter, the accessing computing device 114 may communicate with the POP 114, via the combination of network addresses, to access the distribution. The specific operation of DNS servers 112 to receive and resolve requests for network addresses is well known within the art, and thus will not be described in detail herein.

In accordance with embodiments of the present disclosure, each DNS server 112 may be configured to distribute a specific combination of network addresses (or addressing information sets) for individual distributions, which network addresses (or addressing information sets) are selected such that there is a high statistical probability of the combination of network addresses uniquely identifying the individual distribution. In one embodiment, each DNS server 112 may select an integer n number of network addresses from a pool of k available network addresses, such that the total possible unique combinations of network addresses may be represented as the equation:

$\frac{n!}{{k!}{\left( {n - k} \right)!}}$

The value k (representing a number of network addresses within a pool of network addresses available to a distribution on the content delivery system 110 or a specific POP 114 of the content delivery system 110) may be selected by an operator of the content delivery system 110 based on the number of network addresses assigned to the system 110, the number of network addresses utilized for other tasks within the system 110, etc. The value n may be selected by an operator of the content delivery system 110 accordingly to multiple criteria, including but not limited to: ensuring that a sufficient number n of network addresses is assigned to a distribution to ensure availability of the distribution in the case of network failure or congestion; ensuring that a sufficient number of combinations (derived according to the formula above) for the value n exist, such that each distribution is statistically likely to be provided with a unique combination of network addresses; and reducing the proportion of the n network addresses needed to unique identify a distribution under attack. In one embodiment, n is equal to eight, while k is at least 128. While the values of n and k may be modified to address the needs of the content delivery system 110 (or a specific POP 114 within the content delivery system 110), the value of k is generally expected to exceed that of n, such that there is a high probability that an individual distribution can be uniquely identified by n network addresses.

To attribute network addresses to an individual distribution, the DNS servers 112 may maintain a list of available network addresses within an address pool, each associated with an index (e.g., of 0 through k−1). Each index may identify a “slot” associated with a specific network address that can be assigned to a distribution. For example, an index ‘1’ may be associated with the IPv4 address “192.168.0.1,” while the index ‘2’ may be associated with the IPv4 address “192.168.0.2.” In some instances, the list of available addresses may be configured such that the index of each address is equal to the final segment of the network address (e.g., index ‘1’ is associated with network address “192.168.0.1,” etc.). In other instances, the index of each address may be unrelated to the actual network address (e.g., index ‘1 may be associated with ‘192.168.0.5’, or any arbitrary address available to the content delivery system 110). While examples provided herein utilize the same three initial octets “192.168.0,” network addresses available to the DNS servers 112 may include any network address representable within a network address format used by the DNS servers 112 (e.g., IPv4, IPv6, etc.). Given a list of k addresses, each DNS server 112 may determine the indexes of network addresses to assign to a distribution according to the equation i=h(D+x)mod k where i represents the index of each network address within the list of network addresses, the function h( ) represents any of a number of widely known hashing functions (such as the MD5 hashing function), D represents an identifier of other information uniquely describing the distribution (e.g., a domain name), and x represents the specific network address 1 through n from the n network addresses to be assigned to the distribution. Though not shown in the equation above, DNS servers 114 may include additional information into the hashing function ho. For example, where a distribution is assigned a unique combination of network addresses at each individual POP 114, the hashing function may include an identifier of the POP 114 for which network addresses are sought. As a further example, the hashing function may include a temporal value (such as a current date), causing the combination of network addresses associated with a distribution to vary with time. Various additional values may be included within the hashing and are contemplated within the scope of the present disclosure. By utilizing the equation above, a DNS server 114 may determine a combination of network address from the list of available network addresses, and associate that network address to the distribution.

As discussed above, some embodiments of the present application may identify sets of content based on combinations of sets of addressing information, rather than network addresses. In such embodiments, the value of k within the equation above may represent the number of possible sets of addressing information (e.g., the possible combinations of available network addresses, ports, protocols, or other addressing information). The content delivery system may maintain a listing of each possible set of addressing information, and assign each distribution to a combination of sets of addressing information according to the algorithm above. Because the value of k when using sets of addressing information is likely to be much larger than when using networking addresses alone, a lower value of n may be possible while still maintaining a high likelihood that the combination of sets of addressing information uniquely identifies each distribution.

While some examples are provided herein with reference to a single pool of k addresses, in some embodiments, the content delivery system 110 (or each POP 114 within the content delivery system 110) may maintain multiple network address pools, each containing a set of network addresses available for association with distributions. In some instances, each pool may be associated with a different class of distribution, such that distributions with a normal risk of being targeted by a network attack may be classes as “normal” distributions, while distributions with a high risk of being targeted by a network attack (or which are currently potentially being targeted by a network attack are class as “high risk” distributions. Accordingly, the content delivery system 110 may be configured to determine a combination of network addresses for a “normal” distribution from a list of k addresses associated with a “normal” network address pool, and to determine a combination of network addresses for a “high risk” distribution from a list of k addresses associated with a “high risk” network address pool. In one embodiment, network address pools are contiguous blocks of IP addresses (e.g., a “/24” block in CIDR notation), and the IP addresses assigned to a specific distribution from any class of network address pool may vary only in the prefix of those IP addresses. For example, a given distribution may be assigned the addresses “192.168.0.1,” “192.168.0.3” and “192.168.0.19” if the distribution is classed as “normal” (where the “192.168.0/24” block of addresses is associated with “normal” distributions), and may be assigned the addresses “192.168.1.1,” “192.168.1.3” and “192.168.1.19” if the distribution is classed as “high risk” (where the “192.168.1/24” block of addresses is associated with “high risk” distributions). While two classes are illustratively described herein, the content delivery system 110 may maintain any number of classes of distributions, each associated with a pool of available network addresses. In some instances, a distribution may be re-classed in response to detection of a network attack, causing the combination of network addresses associated with the distribution to change from a first combination to a second combination. As described below, the content delivery system 110 may then monitor for a continuation of the network attack directed to additional network address from the second combination, and use those additional network addresses to determine a target of the attack on the content delivery system 110.

In some embodiments, the combination of network addresses associated with a distribution (or combinations, where multiple network address pools are utilized) may be precomputed by each DNS server 112, such that service of DNS requests to resolve a distribution identifier into a corresponding combination of network addresses may be fulfilled by referencing a pre-computed mapping of distribution identifiers to network addresses. In other embodiments, each DNS server 112 may calculate the combination (or combinations) of network addresses associated to a specific distribution in real time, while servicing a request to access the specific distribution. In yet other embodiments, the DNS server 112 may maintain a pre-computed list of network addresses for recently accessed distributions (e.g., within a cache memory), but calculate network addresses for other distributions in real time. While calculation of network addresses is described herein as executed by the DNS server 112 itself, other components of the content delivery system 112 may additionally or alternatively be configured to calculate network addresses for a distribution. For example, a central server (not shown in FIG. 1) may precompute network addresses for each distribution serviced by the content delivery system 110 (or specific POP 114) and transmit the precomputed network addresses to the relevant DNS servers 112 associated with those distributions. The DNS servers 112 may thereafter service requests by accessing computing devices 102 to resolve identifiers of distributions into a corresponding combination of network addresses.

The content delivery system 110 further includes a target identification service 116, which is configured to enable identification of a distribution based on one or more network addresses. Illustratively, the target identification service 116 may be utilized during an attack on the content delivery system 110 to enable the specific distribution targeted in the attack to be identified based on network addresses to which the attack is targeted. In one embodiment, the target identification service 116 is implemented centrally on the content delivery system 110, at one or more computing devices accessible throughout the content delivery system 110. In another embodiment, the target identification service 116 is a distributed service hosted at various locations within the content delivery system 110 (e.g., by computing devices associated with various POPs 114).

The target identification service 116 is illustratively configured to receive requests from within the content delivery system 110 (e.g., from automated attack detection systems within the content delivery system 110 or from human operators) which specify one or more attacked network addresses, and to attempt to resolve the attacked network addresses into an identifier of a distribution (e.g., a domain name). In one embodiment, the target identification service 116 utilizes the same algorithm described above with respect to the DNS servers 112, to compute a mapping between each potential distribution and a combination (or combinations) of network addresses. The target identification service 116 may then inspect the mapping to determine which distributions are associated with the attacked network addresses. Where the number of attacked network addresses is large with respect to n (the number of network addresses assigned to each distribution) it is statistically likely that the attacked network addresses will correspond to a single distribution. The target identification service 116 may therefore return an identifier of that distribution (e.g., a domain name) to the requesting party. In some instances, the content delivery system 110 may further be configured to utilize the returned identifier to attempt to mitigate the network attack.

However, especially where the number of attacked network addresses is small with respect to n, the target identification service 116 may be unable to identify the attacked distribution specifically. In some instances, specific identification of an attacked distribution may not be required. Instead, the target identification service 116 may be configured to identify the attacked distribution as one among no more than a threshold number of potential distributions that match the attacked network addresses. For example, assuming a threshold number of three, the target identification service 116 may be configured to identify the attacked distribution as either distribution A, B, or C, each of which may be associated with the attacked network addresses specified to the target identification service 116.

Where more than a threshold number of distributions are associated with a received combination of network addresses, the target identification service 116 may attempt to redirect the attack to additional network addresses. Specific interactions and functionalities for redirecting an attack to additional network addresses will be described with respect to FIG. 4 below. After an attack has been redirected to additional network addresses, the target identification service 116 can utilize the additional network addresses, in conjunction with those network addresses initially received, to uniquely identify the attacked distribution. For example, where a first set of three network addresses under attack are associated with both distributions A and B, the target identification service 116 may attempt to redirect the attack to an additional network address. Assuming this additional network address is associated with only distribution A, the target identification service 116 may identify distribution A as the distribution under attack. If the additional network address is associated with both distribution A and B, the target identification service 116 may continue to redirect the attack to additional network addresses until a unique distribution (or no more than a threshold number of distributions) can be identified. The content delivery system 110 can thereafter utilize the identification of the attacked distribution to mitigate the attack with respect to either or both the attacked distribution or the content delivery system 110 as a whole.

It will be appreciated by those skilled in the art that the content delivery system 110 may have fewer or greater components than are illustrated in FIG. 1. In addition, the content delivery system 110 could include various web services and/or peer-to-peer network configurations. Thus, the depiction of the content delivery system 110 in FIG. 1 should be taken as illustrative. For example, in some embodiments, components of the content delivery system 110, such as the target identification service 116, may be executed by one more virtual machines implemented in a hosted computing environment. A hosted computing environment may include one or more rapidly provisioned and released computing resources, which computing resources may include computing, networking and/or storage devices. A hosted computing environment may also be referred to as a cloud computing environment.

Any one or more of the DNS servers 112, the POPs 114, and target identification service 116 may be embodied in a plurality of components, each executing an instance of the respective DNS servers 112, POPs 114, and target identification service 116. A server or other computing component implementing any one of the DNS servers 112, POPs 114, and demand analysis service 116 may include a network interface, memory, processing unit, and computer readable medium drive, all of which may communicate which each other may way of a communication bus. The network interface may provide connectivity over the network 106 and/or other networks or computer systems. The processing unit may communicate to and from memory containing program instructions that the processing unit executes in order to operate the respective DNS servers 112, POPs 114, and demand analysis service 116. The memory may generally include RAM, ROM, other persistent and auxiliary memory, and/or any non-transitory computer-readable media.

FIG. 2 depicts a set of illustrative interactions for enabling a client to access a distribution on the content delivery system 110 via a combination of network addresses that uniquely or semi-uniquely identify the distribution, even where a portion of such network addresses are also associated with additional distributions. As noted above, utilization of a unique or semi-unique combination of network addresses to identify a distribution on a content delivery system 110 can enable a large number of distributions to be accessible via a limited combination of network addresses, while still enabling identification of a specific distribution targeted during a network attack. While FIG. 2 depicts a single interaction between an accessing computing device 102A and the content delivery system 110, these interactions may be repeated by any number of accessing computing devices 102 in order to access content on the content delivery system 110.

The interactions of FIG. 2 begin at (1), where an accessing computing device 102A requests a network address of a distribution of content on the content delivery system 110. For the purposes of description, the accessing computing device 102A is assumed to represent a legitimate client of the content delivery system 110. As such, the request for a network address may be automatically generated by software on the accessing computing device (e.g., a web browser) in response to a user's entry of a distribution identifier (e.g., a URL or domain name associated with the distribution). In one embodiment, the request of interaction (1) is a DNS request transmitted in accordance with the well-known DNS protocol. Though not shown in FIG. 1, the communication shown in interaction (1), as well as all communication shown in the various figures, may pass through any number of intermediary communication devices. For example, the request for a network address shown in interaction (1) may be initially transmitted from the accessing computing device 102A to an intermediary DNS server (such as those commonly provided by internet service providers), which may pass the request to the DNS server 112A.

Thereafter, at (2), the DNS server 112A may generate a combination of network addresses for the distribution identified in the request. As noted above, such a combination of network addresses may be generated by selecting a set of n addresses from a list of k network addresses within a network address pool maintained by the DNS server 112A (or k possible sets of addressing information, formed from a combination of network address, port, protocol, etc.). Each network address (or set of addressing information) within the list may be assigned an index i, and the indexes associated with a given distribution may be determined according to the equation: i=h(D+x)mod k where h represents a hash function, such as the MD5 hash function; D represents data uniquely identifying the distribution, such as a domain name; and x is a value from 1 to n, representing the xth network address within the n total network addresses to be associated with the distribution. In some embodiments, additional information may be included within the hash function. For example, the combinations of network addresses assigned to a distribution may be varied with time by including a temporal factor, such as the current date, within the hash function. As a further example, where distributions are to be assigned distinct combinations of network addresses on each POP 114A, the hash function may include an identifier of the POP 114A. The specific POP 114A selected for inclusion within the function may vary based on the specific distribution techniques of the content delivery system 110. Illustratively, the DNS server 112A may determine that the request should be resolved to network addresses of a specific POP 114A based on a geographic distance, network distance, latency, or other metric quantifying a relationship between the POP 114A and the accessing computing device 102A. Moreover, the DNS server 112A may determine that the request should be resolved to network addresses of a specific POP 114A based on the current load of various POPs 114A within the content delivery system 110 or other components of the content delivery system 110. Various additional techniques and mechanisms for selection of POPs in a content delivery system are well known within the art. In some instances, additional security information (e.g., a “salt”) may be added to reduce the likelihood that malicious parties can replicate the calculations achieved by the content delivery system 110.

As noted above, in some embodiments, the content delivery system 110 may utilize multiple network address pools, each associated with a class of distributions. In such embodiments, the interactions depicted at (2) may further include determining a current classification of the distribution identified in the request (e.g., as stored in one or more data stores of the content delivery system 110 not shown in FIG. 2). Thereafter, the DNS server 112A may select the n network addresses assigned to the distribution from a set of k network addresses within a pool associated with the current classification of the distribution. Thus, modifying the classification of the distribution may alter the combination of network addresses provided by the DNS server 112A for that distribution.

Generation of a combination of network addresses is illustratively described in FIG. 2 as occurring immediately in response to a request from the accessing computing device 102A. However, in some embodiments, combinations of network addresses for one or more distributions may be precomputed by the DNS server 112A, which may increase the speed at which the DNS server 112A may respond to such requests. For example, the DNS server 112A may include a cache memory (not shown in FIG. 2) that maintains a list of network addresses associated with frequently or recently accessed distributions. As a further example, the DNS server 112A may include a precomputed list of network addresses for all distributions associated with the DNS server 112A.

Thereafter, at (3), the DNS server 110 returns the generated combination of network addresses to the accessing computing device 102A. For the purposes of illustration, it is assumed that each of the returned combination of network addresses is associated with a computing device within the POP 114A. However, network addresses associated with multiple POPs 114 may be included within a single returned combination of network addresses. In one embodiment, each network address of the combination of network addresses may be included within a DNS “A record” (for IPv4 addresses) or “AAAA record” (for IPv6 addresses). The accessing computing device 102A may include software (e.g., a web browser) that automatically parses the returned information, and selects at least one network address from the combination of network addresses to which to transmit a request for content (e.g., a web page).

Thus, at (4), the accessing computing device 102A transmits a request for content, such as a web page, to a network address included within the returned combination of network addresses. This request is routed to the POP 114A, which as noted above includes a computing device associated with each network address within the returned combination of network addresses. Illustratively, the request may be a hypertext transfer protocol (HTTP) request, such as a GET request or POST request. In accordance with the HTTP protocol, the POP 114A can utilize information embedded within the request, such as a “host name” to identify a specific distribution (e.g., web site) from which content is requested.

Thereafter, the POP 114A can return the requested content to the accessing computing device 102A at (5). In this manner, a combination of network addresses may be associated each distribution of content on the content delivery system 110 to enable a large number of distributions to be served by a limited combination of network addresses, while still enabling identification of targeted distributions during a network attack.

One illustrative set of interactions for identifying a targeted distribution during an attack is shown within FIG. 3. Specifically, FIG. 3 depicts a network attack, such as a DDoS attack, being executed by a set of accessing computing devices 102 against the content delivery system 110. For the purposes of FIG. 3, it is assumed that the network attack has targeted a specific distribution (e.g., a specific web site) hosted on the content delivery system 110. In order to access that targeted distribution, the accessing computing devices 102, at (1), transmit a request to the DNS server 112A for a combination of network addresses associated with the distribution. Because it may be difficult or impossible to determine that a specific resolution request was created by malicious devices, the DNS server 112A, in response to the request, generates a combination of network addresses for the targeted distribution, and returns the network addresses to the accessing computing devices 102. These interactions (labeled as (2) and (3) in FIG. 3, respectively) are similar to the interactions (2) and (3) of FIG. 2, and therefore will not be described in detail with respect to FIG. 3.

Thereafter, at (4), the accessing computing devices 102 attempt to implement a network attack against one or more of the network addresses identified by the DNS server 112A. In some instances, the accessing computing devices 102 may implement an attack against each network address identified by the DNS server 112A. In other instances, the accessing computing devices may implement an attack against only a portion of the network addresses, or only a single network address identified by the DNS server 112.

In either instance, the interactions of FIG. 3 continue at (5), where the content delivery system 110 detects the network attack. In one embodiment, the content delivery system 110 detects the network attack by monitoring network traffic transmitted to the content delivery system 110, and identifying a large volume of anomalous traffic directed to the attacked network addresses. Additional illustrative systems and methods for detecting a network attack on a network communication system are provided within U.S. Pat. No. 8,997,227, entitled “Attack Traffic Signature Generation Using Statistical Pattern Recognition,” (the '227 patent) which is hereby incorporated by reference in its entirety.

Thereafter, at (6), the content delivery system 110 attempts to identify the specific distribution targeted by the network attack. As noted above, due to the limited number of network addresses available to the content delivery system 110, each attacked network address may be associated with a multitude of distributions. It may therefore be impossible to determine based on an individual network address which distribution is the target of an attack. Moreover, because data transmitted as part of a network attack is often malformed, it may be impossible or impractical to identify an attacked distribution by inspecting data packets transmitted as part of the attack.

However, because each distribution has been associated with a unique combination of network addresses, the content delivery system 110 may utilize the target identification service 116 to determine the attacked distribution from one or more attacked network addresses. Specifically, the target identification service 116 may obtain a listing of the currently attacked network addresses, and identify a set of distributions hosted by the content delivery system 110 that are associated with the attacked network addresses. In the instance that a single distribution is associated with the attack, the content delivery system may proceed to implement mitigation of the attack, as described below. In the instance that multiple distributions are associated with the attacked network addresses, the target identification service 116 can attempt to redirect the attack to additional network addresses, in order to identify additional network addresses associated with the attack. Redirection of an attack will be described in more detail with respect to FIG. 4, below. Generally, the target identification service 116 may continue to redirect an attack to additional network addresses until a combination of network addresses is obtained that uniquely identifies a targeted distribution.

After identifying a targeted distribution, the content delivery system 110, at (7), attempts to mitigate the network attack. In one embodiment, attack mitigation may include altering the configuration of the content delivery system 110 to reduce the effects of the attack on non-attacked distributions. For example, due to the shared nature of individual network addresses, there may be a set of distributions associated with one or more attacked network addresses, but not actually targeted by the attack. To partially mitigate the attack, the content delivery system 110 may disassociate these non-attacked distributions from attacked addresses (e.g., by removing the attacked network addresses from DNS responses for non-attacked distributions), or relocate content of the non-attacked distributions to alternate locations within the content delivery system. The content delivery system 110 may further modify the attacked distribution to mitigate the attack. For example, the content delivery system may expand the number of computing devices associated with the attacked distribution, the number of network addresses associated with the attacked distribution, or both. By increasing the resources available to the attacked distribution, the impact of the attack to legitimate clients can be minimized. Thus, the content delivery system 110 may utilize knowledge as to the specific distribution (or distributions) being attacked to more efficiently implement attack mitigation strategies. In some instances, these mitigation techniques may occur automatically in response to identification of a distribution targeted by the attack, without requiring initiation of the mitigation technique by an operator of the content delivery system 110. In other instances, an operator of the content delivery system 110 may manually implement mitigation techniques after identification of the distribution targeted by the attack.

With reference to FIG. 4, one illustrative routine 400 for identifying the target of a network attack within a content distribution system is described. The routine 400 may be carried out, for example, by the target identification service 116 of FIG. 1, either alone or in conjunction with additional elements of the content delivery system 110.

The routine 400 begins at block 402, where the target identification service 116 monitors the content delivery system 110 to detect a network attack. Illustratively, the target identification service 116 may detect a network attack on the content delivery system 110 by identifying a large number of anomalous packets transmitted to the system from one or more accessing computing devices. Further examples of systems and methods for detecting a network attack are described in more detail the '227 patent, incorporated by reference above.

Thereafter, the routine continues at block 404, wherein the target identification service 116 identifies one or more network addresses targeted by the attack. Each targeted network address may be identified by inspecting data packets of the attack, to determine a network address to which the packet is directed. In some embodiments, actual inspection of attack packets to determine those network addresses under attack may occur at additional components of the content delivery system 110, such as routing components in communication with accessing computing devices and the target identification service 116. Accordingly, the target identification service 116 may, in some instances, determine attacked network addresses based on communication from those additional components of the content delivery system 110.

After obtaining a combination of network addresses under attack, the routine continues at block 406, where the target identification service 116 maps the attacked network addresses to a set of distributions that are potential targets for the attack. Illustratively, the target identification service 116 may map network addresses to distributions by utilizing the same algorithm used by the DNS servers to determine network addresses for a distribution (as described in FIG. 2, above). Accordingly, the target identification service 116 may generate a mapping to identify, for each distribution within a specific POP 114 being attacked or for each distribution served by the content distribution system, a combination of network addresses associated with that distribution. One simplified illustration of a mapping between distributions and network addresses is shown below in TABLE 1. While only a limited number of network addresses is shown for each distribution within TABLE 1, distributions may be associated with any number of network addresses. The specific format and content of the distribution identifiers and network addresses shown in TABLE 1 is intended solely for illustrative purposes.

TABLE 1 Distribution Identifier Network Addresses distribution1.pop5.cdn.tld 192.168.0.1 192.168.0.2 192.168.0.3 distribution2.pop5.cdn.tld 192.168.0.1 192.168.0.3 192.168.0.4 distribution3.pop5.cdn.tld 192.168.0.2 192.168.0.4 192.168.0.5

As discussed above, the content delivery system 110 may, in some instances, utilize multiple pools of network addresses for distributions of different classes. Because a distribution's class may vary with time, the target identification server 116 may be configured to map a distribution to a different combination of network addresses for each class potentially associated with the distribution. Illustratively, where the content delivery system 110 utilizes three classes of addresses, the target identification server 116 may identify three combinations of network addresses associated with each distribution (one for each class), regardless of which class the distribution is currently classed within. In another embodiment, a history of classes associated with each distribution may be maintained within the content delivery system 110, such that the target identification server 116 may identify, for each distribution, a combination of network addresses associated with each historical classification of the distribution. Accordingly, Table 1, above, may be modified to include, for each distribution, multiple combinations of network addresses, each combination being associated with a different network address pool.

The target identification service 116 may then inspect the mapping to identify one or more distributions associated with the attacked network addresses, each of which constitutes a potential target for the attack. In reference to the illustrative data of TABLE 1, if a network attack were directed to the network address “192.168.0.5,” the target identification service 116 may determine that the attacked distribution corresponds to distribution identifier “distribution3.pop5.cdn.tld.” Similarly, if a network attack were directed to the network address “192.168.0.1,” the target identification service 116 may determine that the attacked distribution corresponds to either distribution identifier “distribution1.pop5.cdn.tld” or distribution identifier “distribution2.pop5.cdn.tld,” but not to distribution identifier “distribution3.pop5.cdn.tld”.

Thereafter, at block 408, the target identification service 116 may determine whether the number of previously identified distributions is less than or equal to a threshold value. Illustratively, the threshold value may be set to one to require that only a single distribution be identified as the target of an attack. Alternatively, the threshold value may be increased to allow for more than a single distribution to be identified as the target of an attack. Increasing the threshold value may be beneficial, for example, to allow mitigation techniques to be implemented more rapidly, to reduce the need to redirect network attacks (as described below), or to allow for the possibility of multiple simultaneous attacks on different distributions.

In the instance that the number of identified distributions is less than or equal to the threshold value, the routine 400 continues at block 414, where the target identification service 116 can attempt to mitigate the attack. As noted above, attack mitigation may include altering the configuration of the content delivery system 110 to reduce the effects of the attack on non-attacked distributions. Illustratively, the target identification service 116 may cause the content delivery system 110 to disassociate non-attacked distributions from attacked addresses (e.g., by removing the attacked network addresses from DNS responses for non-attacked distributions), or relocate content of the non-attacked distributions to alternate locations within the content delivery system. The target identification service 116 may further cause the content delivery system 110 to modify the attacked distribution in an effort to mitigate the attack (e.g., by expanding the number of computing devices associated with the attacked distribution, the number of network addresses associated with the attacked distribution, or both). Accordingly, the target identification service 116 may utilize knowledge of the identity of the attacked distribution to more effectively mitigate the network attack. The routine may then end at block 416.

In the instance that the number of identified distributions is greater than the threshold value, the routine 400 continues at block 410, where the target identification service 116 can attempt to redirect the network attack to additional network addresses. Specifically, at block 410, the target identification service 116 may transmit instructions to the DNS servers 112 within the content delivery system that cause the DNS servers 112 to stop including the initially attacked network addresses within any DNS records. In addition to helping to mitigate the attack directly (by redirecting legitimate computing devices to non-attacked network addresses), removal of the attacked network addresses may also redirect the attack to additional network addresses. For example, where an attack had been carried out on the network address “192.168.0.1,” removal of that address from DNS records may cause the attack to redirect to the network address “192.168.0.2.” Redirection of an attack may occur automatically or manually within the set of computing devices implementing the attack. For example, software used to execute an attack may automatically and continuously resolve a distribution identifier (e.g., a domain name) into a combination of network addresses, and select a subset of the resolved addresses to target in an attack. By removal of initially attacked network addresses from DNS records, such software can be caused to attack additional network addresses, thereby allowing the content delivery system 110 to accurately determine the specific distribution targeted in the attack. In other instances, an attacker may automatically or manually detect that an initially attacked network address has been removed from DNS records (e.g., by analyzing DNS records for the attacked distribution, by observing that the attacked distribution is still accessible, etc.), and redirect the attack to additional network addresses of the targeted distribution. Such additional network addresses may be known to the attacker from prior DNS records (e.g., obtained prior to an attack), or from DNS records received from the DNS servers 112 after removal of the initially attacked network addresses.

In one embodiment, removal of an attacked network address from DNS records for a distribution may reduce the number of network addresses those DNS records. For example, where a combination of n addresses is assigned to a distribution, removal of a single attacked network address form DNS records for the distribution may result in DNS records including n−1 network addresses. In other embodiments, DNS servers 112 may replace removed network addresses with alternative addresses assigned to the distribution. For example, where the content delivery system 110 associates distributions with multiple classes, each associated with distinct pools of network addresses, removal of an attacked network address from DNS records for a distribution may be achieved by altering a class of the distribution on the content delivery system 110. Illustratively, each distribution associated with an attacked network address may be reclassified from the “normal” class to the “high risk” class. Because each class can be associated with a different network address pool, reclassification of the distributions can cause the combination of network addresses distributed by the DNS servers 112 for the distributions to change. For example, the DNS servers 112 may halt distributing IP addresses in the “192.168.0/24” IP block for each attacked distribution, and begin distributing IP addresses in the “192.168.1/24” IP block. Such substitution of network address combinations can enable attacked network addresses to be removed from DNS records, without reducing the number of network addresses reported for each distribution. After redirection of the attack to one or more additional network addresses, the routine 400 can continue at block 402, where the target identification service 116 attempts to detect the attack on one or more additional network addresses. The target identification service 116 can then, at blocks 404 and 406, use these additional network addresses, in addition to the initially attacked network addresses, to identify a set of distributions potentially under attack. The target identification service 116 may continue to loop through blocks 402 through 410 until the decision at block 408 is satisfied. Thereafter, the routine 400 can continue at block 414, as described above. The routine 400 may then end at block 416.

One skilled in the art will appreciate that the routine 400 may include fewer or more interactions than described above. Illustratively, in addition to redirecting a network attack by removing attacked addresses from DNS records, the target identification service 116 may directly limit traffic to an attacked address. In one embodiment, the target identification service 116 may “blackhole” one or more attacked addresses by instructing routing devices within the content delivery system 110 to discard (or “drop”) packets directed to the attacked addresses. In addition to helping mitigate the network attack (by reducing the load on the content delivery system 110), this technique may serve to more effectively redirect a network attack to additional network addresses. Accordingly, the interactions of routine 400 are intended to be illustrative in nature, rather than exhaustive.

FIG. 5 depicts one embodiment of an architecture of a server 500 that may implement the target identification service 106 described herein. The general architecture of server 500 depicted in FIG. 5 includes an arrangement of computer hardware and software components that may be used to implement aspects of the present disclosure. As illustrated, the server 500 includes a processing unit 504, a network interface 306, a computer readable medium drive 507, an input/output device interface 520, a display 302, and an input device 524, all of which may communicate with one another by way of a communication bus. The network interface 306 may provide connectivity to one or more networks or computing systems, such as the network 106 of FIG. 1. The processing unit 504 may thus receive information and instructions from other computing systems or services via a network. The processing unit 504 may also communicate to and from memory 510 and further provide output information for an optional display 502 via the input/output device interface 520. The input/output device interface 520 may also accept input from the optional input device 524, such as a keyboard, mouse, digital pen, etc. In some embodiments, the server 500 may include more (or fewer) components than those shown in FIG. 5. For example, some embodiments of the server 500 may omit the display 502 and input device 524, while providing input/output capabilities through one or more alternative communication channel (e.g., via the network interface 306).

The memory 510 may include computer program instructions that the processing unit 504 executes in order to implement one or more embodiments. The memory 510 generally includes RAM, ROM and/or other persistent or non-transitory memory. The memory 510 may store an operating system 514 that provides computer program instructions for use by the processing unit 304 in the general administration and operation of the server 500. The memory 510 may further include computer program instructions and other information for implementing aspects of the present disclosure. For example, in one embodiment, the memory 510 includes user interface software 512 that generates user interfaces (and/or instructions therefor) for display upon a computing device, e.g., via a navigation interface such as a web browser installed on the computing device. In addition, memory 510 may include or communicate with one or more auxiliary data stores, such as data store 120.

In addition to the user interface module 512, the memory 510 may include target identification software 516 that may be executed by the processing unit 504. In one embodiment, the target identification software 516 implements various aspects of the present disclosure, e.g., determining the target distribution of a network attack based on one or more received network addresses. While the target identification software 516 is shown in FIG. 5 as part of the server 500, in other embodiments, all or a portion of the software may be implemented by alternative computing devices within the content delivery system 110, such as virtual computing devices within a hosted computing environment a part of the computing devices 204.

All of the methods and processes described above may be embodied in, and fully automated via, software code modules executed by one or more general purpose computers or processors. The code modules may be stored in any type of non-transitory computer-readable medium or other computer storage device. Some or all of the methods may alternatively be embodied in specialized computer hardware.

Conditional language such as, among others, “can,” “could,” “might” or “may,” unless specifically stated otherwise, are otherwise understood within the context as used in general to present that certain embodiments include, while other embodiments do not include, certain features, elements and/or steps. Thus, such conditional language is not generally intended to imply that features, elements and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without user input or prompting, whether these features, elements and/or steps are included or are to be performed in any particular embodiment.

Disjunctive language such as the phrase “at least one of X, Y or Z,” unless specifically stated otherwise, is otherwise understood with the context as used in general to present that an item, term, etc., may be either X, Y or Z, or any combination thereof (e.g., X, Y and/or Z). Thus, such disjunctive language is not generally intended to, and should not, imply that certain embodiments require at least one of X, at least one of Y or at least one of Z to each be present.

Unless otherwise explicitly stated, articles such as ‘a’ or ‘an’ should generally be interpreted to include one or more described items. Accordingly, phrases such as “a device configured to” are intended to include one or more recited devices. Such one or more recited devices can also be collectively configured to carry out the stated recitations. For example, “a processor configured to carry out recitations A, B and C” can include a first processor configured to carry out recitation A working in conjunction with a second processor configured to carry out recitations B and C.

Any routine descriptions, elements or blocks in the flow diagrams described herein and/or depicted in the attached figures should be understood as potentially representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or elements in the routine. Alternate implementations are included within the scope of the embodiments described herein in which elements or functions may be deleted, or executed out of order from that shown or discussed, including substantially synchronously or in reverse order, depending on the functionality involved as would be understood by those skilled in the art.

It should be emphasized that many variations and modifications may be made to the above-described embodiments, the elements of which are to be understood as being among other acceptable examples. All such modifications and variations are intended to be included herein within the scope of this disclosure and protected by the following claims. 

What is claimed is:
 1. A content delivery system comprising: a point of presence (“POP”) comprising a plurality of computing devices, the point of presence configured to retrieve content requests and transmit, in response to the content requests, a plurality of sets of content; a domain name system (“DNS”) server comprising one or more processors configured with specific computer-executable instructions to retrieve requests for network addresses of individual sets of content from the plurality of sets of content, and to respond to the requests for network addresses with a plurality of network addresses identifying computing devices from the point of presence at which the individual sets of content may be accessed; and one or more computing devices implementing a target lookup service, the one or more computing devices configured with specific computer-executable instructions to: detect a network attack on the content delivery system, the network attack directed to a plurality of attacked network addresses, wherein each attacked network address of plurality of attacked network addresses is associated with at least two of the plurality of sets of content on the content delivery system; generate a mapping between the individual sets of content and corresponding combinations of network addresses on the content delivery system at which the individual sets of content may be accessed, the corresponding combinations of network addresses determined based at least in part on identifiers of the individual sets of content; compare the plurality of attacked network addresses to the generated mapping to identify a first set of content from the plurality of sets of content that is associated with each attacked network address of the plurality of attacked network addresses; and identify the first set of content as a target of the network attack.
 2. The content delivery system of claim 1, wherein the identifiers of the individual sets of content are domain names of the individual sets of content.
 3. The content delivery system of claim 1, wherein the attacked network addresses are internet protocol (IP) addresses.
 4. The content delivery system of claim 1, wherein the network attack is a denial of service (DoS) attack.
 5. The content delivery system of claim 1, wherein the network addresses for an individual set of content are selected from a group of network addresses available to the plurality of sets of content.
 6. A computer-implemented method comprising: receiving a request from a user computing device for addressing information of a first set of content; determining at least two network addresses corresponding to the first set of content based at least in part on an identifier of the set of content; generating a DNS record including the at least two network addresses corresponding to the first set of content; transmit the DNS record to the user computing device; detecting a network attack on a content delivery system, the network attack directed to a plurality of attacked network addresses, wherein an attacked network address of the plurality of attacked network addresses is associated with at least two sets of content on the content delivery system, including the first set of content and the second set of content; generating a mapping between individual sets of content, including the first and second sets of content, and network addresses on the content delivery system at which the individual sets of content may be accessed, the network addresses on the content delivery system at which the individual sets of content may be accessed determined based at least in part on identifiers of the individual sets of content; comparing the plurality of attacked network addresses to the generated mapping to identify that the first set of content is associated with the plurality of attacked network addresses; and identifying the first set of content as a target of the network attack.
 7. The computer-implemented method of claim 6, wherein detecting the network attack on the content delivery system comprises receiving a notification of the network attack and a listing of the plurality of attacked network addresses.
 8. The computer-implemented method of claim 6, wherein the network addresses for an individual set of content are selected from a group of network addresses available to the plurality of sets of content based at least in part on hashing an identifier of the individual set of content.
 9. The computer-implemented method of claim 6 further comprising removing at least one of the plurality of attacked network addresses from DNS records associated with the identified set of content.
 10. The computer-implemented method of claim 6 further comprising removing at least one of the plurality of attacked network addresses from DNS records associated with an additional set of content on the content computing system.
 11. The computer-implemented method of claim 6, wherein comparing the plurality of attacked network addresses to the generated mapping to identify that the first set of content is associated with the plurality of attacked network addresses comprises determining that the plurality of attacked network addresses identify the first set of content on the content delivery system.
 12. The computer-implemented method of claim 6, wherein comparing the plurality of attacked network addresses to the generated mapping to that the first set of content is associated with the plurality of attacked network addresses comprises determining that the plurality of attacked network addresses identifies less than a threshold number of sets of content on the content delivery system.
 13. A system comprising: one or more computing devices implementing a target lookup service, the one or more computing devices configured with computer-executable instructions that, when executed, cause the one or more computing devices to: detect a network attack on a content delivery system, the network attack associated with at least two addressing information sets, wherein an addressing information set of the at least two addressing information sets is associated with at least two sets of content on the content delivery system; generate data mapping individual sets of content on the content delivery system to corresponding combinations of addressing information sets on the content delivery system; compare the at least two addressing information sets to the generated data to identify a first set of content on the content delivery system that is associated with the at least two addressing information sets; and identify the first set of content as a target of the network attack; and a DNS system comprising at least one computing device configured with computer-executable instructions that, when executed, cause the DNS system to: receive a request from a user computing device for addressing information of the first set of content; determine the at least two addressing information sets corresponding to the first set of content based at least in part on an identifier of the first set of content; generate a DNS record including the at least two addressing information sets corresponding to the first set of content; and transmit the DNS record to the user computing device.
 14. The system of claim 13, wherein the computer-executable instructions further cause the one or more computing devices to determine that the plurality of attacked network addresses identifies the first set of content on the content delivery system.
 15. The system of claim 13, wherein the computer-executable instructions further cause the one or more computing devices to determine that the plurality of attacked network addresses identifies less than a threshold number of sets of content on the content delivery system.
 16. The system of claim 13, wherein the computer-executable instructions further cause the one or more computing devices to determine the combinations of addressing information sets corresponding to the individual sets of content based at least in part on processing identifiers of the individual sets of content according to a hashing function.
 17. The system of claim 16, wherein the computer-executable instructions cause the one or more computing devices to determine the combinations of addressing information sets corresponding to the individual sets of content in response to detection of the network attack.
 18. The system of claim 16, wherein the computer-executable instructions cause the one or more computing devices to determine the combinations of addressing information sets corresponding to the individual sets of content prior to detection of the network attack.
 19. The system of claim 13, wherein individual addressing information sets of at least two addressing information sets identify multiple computing devices on the content delivery system at which the set of content is available. 